Code-signing certificates are selling on the dark web for up to $1,200, making them more expensive than many counterfeit U.S. passports, stolen credit cards and handguns, according to research released Tuesday by key and certificate management company Venafi and the Cyber Security Research Institute (CSRI).
There is a near-consensus among CIOs (86 percent) that the potential value of cryptographic keys and digital certificates to cybercriminals makes them the next big online black market, according to the research.
Stolen code-signing certificates are valuable to malicious actors because they enable man-in-the-middle attacks, hiding in encrypted traffic, malware installation, sensitive data exfiltration, website spoofing, and privilege escalation. The dark web price of $1,200 for a code-signing certificate is roughly the same as a counterfeit U.S. passport, and equivalent to 12 targeted email account hacks or 48 targeted DDoS attacks, Venafi says.
“Our research proves that code signing certificates are lucrative targets for cyber criminals,” said Kevin Bocek, chief security strategist for Venafi. “With stolen code signing certificates, it’s nearly impossible for organizations to detect malicious software. In addition, code signing certificates can be sold many times over before their value begins to diminish, making them huge money makers for hackers and dark web merchants. All of this is fuelling the demand for stolen code signing certificates.”
Venafi notes that Intel predicted in 2014 that the black market for certificates would grow. Dimension Research previously showed a significant increase in certificate usage at 86 percent of organizations, and certificate use growth of 35 percent or more in 2017, while IDC research suggests there will be a five-fold increase from 2015 to 2020 in the number of devices needing keys and certificates, to more than 30 billion.
Earlier this year, IBM security researchers discovered numerous sets of tax returns, along with other personally identifiable information, for sale on the dark web for $40. The kind of risk that goes along with such marketplaces has led to the development of dark web monitoring tools like Dark Web ID, sold through MSPs.